Driver Objects
Overview
Evidence: Driver Objects
Description: Collect Driver Objects Information
Category: System
Platform: windows
Short Name: drvobjinf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Kernel driver objects (DRIVER_OBJECT structures) describe each loaded driver, including its dispatch table, which specifies which routine handles each type of I/O request packet (IRP). Analyzing driver object details can reveal rootkit behavior, driver hooking, and malicious driver functionality.
The driver object records the image base (DriverStart) and size (DriverSize) together with function pointers for DriverInit (the DriverEntry routine), DriverStartIo, DriverUnload, AddDevice, the 28 major function (IRP_MJ_*) handlers, and the optional Fast I/O dispatch table used mainly by file system and filter drivers. A function pointer that does not land inside the owning driver image, or inside a module that legitimately hosts dispatch routines for it, can indicate driver compromise.
Data Collected
This collector gathers structured data about driver objects.
Driver Objects Data
| Field | Description | Example |
|---|---|---|
| ObjectAddress | Kernel address of the driver object | 0xFFFF8A8012345678 |
| DriverSize | Size of the driver image in memory (bytes) | 524288 |
| ServiceKeyName | Service registry key name | \Registry\Machine\System\CurrentControlSet\Services\MyDriver |
| DriverInit | DriverEntry address | 0xFFFFF80012340000 |
| DriverStart | Base address of the driver image in memory | 0xFFFFF80012341000 |
| DriverUnload | Driver unload routine address | 0xFFFFF80012342000 |
| DriverStartIo | StartIo routine address | 0xFFFFF80012343000 |
| AddDevice | AddDevice routine address | 0xFFFFF80012344000 |
Collection Method
This collector:
- Creates a snapshot of the \Driver object manager directory
- For each driver object, uses an IOCTL to retrieve detailed information
- Extracts driver object structure details
- Records all function pointers from the dispatch tables
- Creates columns for all 28 Fast I/O functions
- Creates columns for all 28 Major functions (IRP_MJ_*)
Forensic Value
Driver object analysis enables advanced rootkit detection and driver security analysis. Investigators use this data to detect hooked driver dispatch tables, identify rootkit modifications to driver objects, analyze driver functionality, detect inline hooking of driver routines, verify driver integrity, identify function pointers that fall outside the owning driver image or into unbacked memory, and perform advanced malware analysis.
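The core dispatch-table check an analyst runs over this evidence is a range comparison: every recorded function pointer should land inside the owning image [DriverStart, DriverStart + DriverSize) or inside a module that legitimately hosts dispatch routines for that driver. The script below is an added example, not code from the collector or the product; the module list, column names, trusted-host set and addresses are constructed sample data (the column names mirror the table above plus assumed IRP_MJ_* column names), and the hosts treated as trusted (ntoskrnl for nt!IopInvalidDeviceRequest in unhandled slots, KMDF, NDIS and storport for their miniports) are an assumption to tune per host.

```python
"""Added example: flag driver-object function pointers that point outside the
owning driver image and outside any module known to host dispatch routines.
All module ranges, column names and addresses below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded kernel module, as it would appear in a loaded-module list."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Assumption: modules that legitimately own dispatch routines of other drivers.
# ntoskrnl supplies nt!IopInvalidDeviceRequest for unhandled IRP_MJ_* slots;
# framework and port drivers (KMDF, NDIS, storport) install their own dispatch
# routines into the driver objects of their client/miniport drivers.
DEFAULT_TRUSTED_HOSTS = {"ntoskrnl.exe", "Wdf01000.sys", "ndis.sys", "storport.sys"}

# Columns that are not function pointers and must not be range-checked.
NON_POINTER_COLUMNS = {"ObjectAddress", "DriverStart", "DriverSize", "ServiceKeyName"}


def parse_record(row: dict) -> dict:
    """Convert the collector's hex ("0x...") and decimal string columns to ints."""
    out = {}
    for key, value in row.items():
        if isinstance(value, str) and value.lower().startswith("0x"):
            out[key] = int(value, 16)
        elif isinstance(value, str) and value.isdigit():
            out[key] = int(value)
        else:
            out[key] = value
    return out


def resolve(addr: int, modules):
    """Name of the loaded module containing addr, or None if unbacked."""
    for module in modules:
        if module.contains(addr):
            return module.name
    return None


def find_suspicious_pointers(row: dict, modules, trusted_hosts=DEFAULT_TRUSTED_HOSTS):
    """Return (column, address, owning_module) for every pointer that lands
    outside the owning image and outside a trusted host; owner None means the
    pointer targets memory not backed by any known module."""
    rec = parse_record(row)
    start, size = rec["DriverStart"], rec["DriverSize"]
    findings = []
    for column, value in rec.items():
        if column in NON_POINTER_COLUMNS or not isinstance(value, int):
            continue
        if value == 0:
            continue  # NULL slot: routine not implemented, nothing hooked
        if start <= value < start + size:
            continue  # inside the owning driver image
        owner = resolve(value, modules)
        if owner in trusted_hosts:
            continue
        findings.append((column, value, owner))
    return findings


# Constructed sample data: a driver image and the kernel, plus one record in
# which IRP_MJ_DEVICE_CONTROL has been redirected to unbacked memory.
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80000000000, 0x1000000),
    Module("MyDriver.sys", 0xFFFFF80012340000, 0x80000),
]
SAMPLE_ROW = {
    "ObjectAddress": "0xFFFF8A8012345678",
    "ServiceKeyName": r"\Registry\Machine\System\CurrentControlSet\Services\MyDriver",
    "DriverStart": "0xFFFFF80012340000",
    "DriverSize": "524288",
    "DriverInit": "0xFFFFF80012340000",
    "DriverUnload": "0xFFFFF80012342000",
    "DriverStartIo": "0x0",
    "IRP_MJ_CREATE": "0xFFFFF80012345000",
    "IRP_MJ_CLOSE": "0xFFFFF80012345010",
    "IRP_MJ_READ": "0xFFFFF80000123450",          # nt!IopInvalidDeviceRequest-style default
    "IRP_MJ_DEVICE_CONTROL": "0xFFFF9A0000001000",  # hooked: no module backs this address
}

if __name__ == "__main__":
    for column, addr, owner in find_suspicious_pointers(SAMPLE_ROW, SAMPLE_MODULES):
        print(f"{SAMPLE_ROW['ServiceKeyName']}: {column} -> {addr:#x} (owner: {owner})")
```

Feed it the collector's rows together with a loaded-module list from the same host; a pointer whose owner resolves to a module that is not in the trusted set still deserves review (a filter driver hosting routines is plausible, a third-party driver you did not expect is not), and an owner of None is the classic signature of a dispatch routine redirected into a rootkit's allocated pool.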